RE: [WEB SECURITY] Open Source Code Analysis Tools
- From: "Truxaw, Matthew" <mtruxaw@xxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Open Source Code Analysis Tools
- Date: Tue, 22 Apr 2008 13:03:14 -0700
This is a compilation of the emails I have received regarding code scanning tools (primarily open source with a few others). I have not reviewed or verified most of this information. I have not even followed all the links below. I am hoping to find some time in the coming weeks to dig into this further. If you have strong feelings for or against any of these tools or other tools, let me know.

OWASP Lapse Project
URL: http://www.owasp.org/index.php/Category:OWASP_LAPSE_Project
LAPSE stands for Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications.

Pmd
URL: http://sourceforge.net/projects/pmd
* Java-based static analysis tool
* Intended to find correctness and complexity issues, also finds some security issues

Findbugs
URL: http://findbugs.sourceforge.net/
* Java-based static analysis tool
* Intended to find correctness issues, also identifies some security issues

JeSS
URL: http://sourceforge.net/project/showfiles.php?group_id=141386
JeSS is a plugin for the Eclipse IDE. It is a static security scanner for Java source code. The plugin creates an AST for the source code and then uses the visitor pattern to find patterns in the AST that could be possible security bugs.

milk
URL: http://milk.sourceforge.net/
Milk is a security source code assessment tool using Orizon as its API. Milk scans Java and .NET source files in order to perform a security code review, trying to point out misuse of safe coding best practices.

BogoSec: Source Code Security Quality Metric
URL: http://bogosec.sourceforge.net/
BogoSec aims to increase awareness regarding code security vulnerabilities, while encouraging developers to produce more secure code over time. By simplifying the code scanning process, BogoSec achieves a goal of allowing developers to scan their code regularly and more effectively.
Users also can benefit by using BogoSec in another way; comparing different available packages or consecutive releases of a package and identifying trends in the security level will enable users to make more educated software choices.

BogoSec is a pluggable, flexible framework.
It currently has plugins to support the following three scanners:
* Flawfinder http://www.dwheeler.com/flawfinder/
* RATS http://www.securesw.com/rats/
* ITS4 http://www.cigital.com/its4/

Hammurapi
URL: http://www.hammurapi.org/

There are a lot of tools for code analysis, not only Java and .NET, but also ASP, PHP, C and so on. Enjoy it: http://www.nosec.org/web/index.php?q=codereview

(SWAAT), you can download it from our site. http://securitycompass.com/inner_swaat.shtml

There's some good material from the speaker at the last OWASP-Austin (TX) meeting. He has links to open source Java and .Net static analysis tools. The presentation also includes some general info on static vs dynamic analysis: http://denimgroup.typepad.com/denim_group/2008/03/static-analysis.html

From this presentation:
* FindBugs (Java) findbugs.sourceforge.net
* PMD (Java) pmd.sourceforge.net
* FxCop (.NET) www.gotdotnet.com/Team/FxCop/
  FxCop is a code analysis tool that checks .NET managed code assemblies for conformance to the Microsoft .NET Framework Design Guidelines.
  http://www.microsoft.com/downloads/details.aspx?familyid=3389F7E4-0E55-4A4D-BC74-4AEABB17997B&displaylang=en
* XSSDetect (.NET) blogs.msdn.com/ace_team/archive/2007/10/22/xssdetect-public-beta-now-available.aspx

Commercial Products:
I got a few recommendations for Fortify http://www.fortifysoftware.com

I got a couple of recommendations for XSS Detect for .NET as well. This beta version appears free to download, at least for now.
XSSDetect http://www.microsoft.com/downloads/details.aspx?FamilyID=19a9e348-bdb9-45b3-a1b7-44ccdcb7cfbe&displaylang=en

XSSDetect is a static code analysis tool that helps identify Cross-Site Scripting security flaws found within Web applications. It is able to scan compiled managed assemblies (C#, Visual Basic .NET, J#) and analyze dataflow paths from sources of user-controlled input to vulnerable outputs. It also detects whether proper encoding or filtering has been applied to the data and will ignore such "sanitized" paths.

Others mentioned:
Ouncelabs,
KlocWork

Regards,

Matt Truxaw
Development Manager
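The mechanism the JeSS and XSSDetect entries describe (walk an AST with a visitor, follow data from user-input sources to output sinks, and ignore paths that pass through a sanitizer) as a small added illustration; this is not code from any tool in the list. It analyses Python rather than Java or .NET so it needs only the standard library, and the source, sink and sanitizer call names are constructed assumptions.

```python
import ast

# Constructed for this example: calls that yield user input (sources), calls that
# emit it into a response (sinks) and calls that neutralize it (sanitizers).
SOURCES = {"request.args.get", "request.form.get"}
SINKS = {"response.write"}
SANITIZERS = {"html.escape"}

def call_name(node):
    # Dotted name of a call target: request.args.get(...) -> "request.args.get"
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

class TaintVisitor(ast.NodeVisitor):
    """One AST pass (visitor pattern); `tainted` holds names carrying unsanitized input."""
    def __init__(self):
        self.tainted = set()
        self.findings = []  # (line, sink name, tainted argument as text)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = call_name(node)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False  # encoding applied: this path is ignored
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):  # string concatenation
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        return False

    def visit_Assign(self, node):
        # Propagate taint to (or clear it from) each simple name target.
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        if call_name(node) in SINKS:
            for arg in node.args:
                if self.is_tainted(arg):
                    self.findings.append((node.lineno, call_name(node), ast.unparse(arg)))
        self.generic_visit(node)

def scan(source):
    # Parse `source`; return one (line, sink, expr) tuple per tainted sink argument.
    visitor = TaintVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings

# Constructed sample program; the string itself is what gets analysed.
SAMPLE = '''name = request.args.get("name")
safe = html.escape(name)
response.write("<p>Hello " + safe + "</p>")  # sanitized path: no finding
response.write("<p>Hello " + name + "</p>")  # line 4: unsanitized
greeting = "Hi " + name
response.write(greeting)                      # line 6: tainted via assignment
'''
```

Straight-line flow only: branches, loops and calls across functions are out of scope here, and they are what a real dataflow engine has to handle.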